EXPLORE DETECTIONS
Enumerate Windows Driver Loads
The query combines DriverLoad and Event_ModuleSummaryInfoEvent data to associate loaded driver hashes with their certificate details, simplifying file paths and aggregating filenames, subjects, and issuers for analysis of driver authenticity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Enumerate%20Windows%20Driver%20Loads.md)
Evaluate Operating System Prevalence
This query counts how many Windows endpoints are running each OS version (like Windows 10, Windows 11, etc.) in your CrowdStrike environment. It groups endpoints by their current OS product name and returns the count for each version.
Exploitable Critical Vulnerabilities
Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.
External Connections with Process
Failed and Successful User Logon Events
This query correlates successful and failed logon attempts per user account to identify potential compromise patterns, focusing on accounts with 4+ failed logons. It provides a comprehensive view of each user's authentication activity including password age and last successful access.
Failed logon attempts grouped by userName and the unique endpoints involved
Failed User Logon Thresholding
This query identifies Windows failed login attempts that exceed a threshold (5+ failures), helping detect potential brute force attacks or account compromise attempts.
Falcon Sensor Heartbeat Timechart
This query plots a timechart showing the frequency of Falcon sensor heartbeat events across the environment.
Falcon Sensor Support Status
This query lists all active Falcon sensors, including their release date and support end date.
Falcon Sensor Version Drift Monitoring (Linux)
Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
Falcon Sensor Version Drift Monitoring (macOS)
Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
Falcon Sensor Version Drift Monitoring (Windows)
Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.
File Write Events with Human-Readable File Sizes
The query lists file write events and converts the file size into readable units (KB, MB, GB, or TB), displaying timestamps, host details, filenames, and both raw and formatted file sizes. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Case%20to%20convert%20Size%20to%20appropriate%20unit%20of%20measure.md)
Files Written to Removable Media
This query tracks files written to removable media (USB drives, external drives) across all platforms, aggregating the total data volume and file count per computer. It's useful for detecting potential data exfiltration attempts or monitoring removable media usage for compliance.
Find events that are scheduled
Find events triggered at a specific time
Find events triggered at logon
Find events triggered at startup
Find events triggered on an event
Find hidden scheduled tasks
Find OpenClaw on Endpoints
Identifies the installation, configuration, and execution of the OpenClaw (Moltbot/Clawdbot) autonomous AI agent. OpenClaw poses a significant risk for shadow AI and data exfiltration as it requires extensive permissions (Shell, APIs, Local Files) and is often controlled via messaging apps like WhatsApp or Telegram.

Detection Logic:
- Installation: Monitors for web-based install scripts (install.sh/ps1) and package manager activity (npm, npx, brew) related to OpenClaw.
- Configuration: Tracks file-write events to hidden user directories (.openclaw, .clawdbot, .moltbot) where plaintext API keys and skill configs are typically stored.
- Execution: Detects the Node.js-based gateway service starting on the default port 18789 or via specific command-line arguments.